What Is Zyrln?
Zyrln is a proxy/censorship-circumvention tool built by ajavadinezhad that routes traffic through Google's infrastructure to bypass Iran's SNDPI filtering, and it is aimed at Iranian developers, indie hackers, and power users who need blocked sites without a classic VPN fingerprint. Zyrln is one of the best Proxy Tools tools for Iranian users because it can reach Google services directly with fragmented TLS and can relay everything else through Google Apps Script, a VPS, or Cloudflare Workers, with each Google account allowing up to 20,000 relay calls per day.
This is not a generic VPN wrapper. Zyrln splits the problem into two transport paths, which lets Google services move at near-native speed while non-Google traffic is disguised as normal Google-hosted traffic before it exits to the public internet.
Quick Overview
| Attribute | Details |
|---|---|
| Type | Proxy Tools |
| Best For | Iranian users who need censorship bypass without a VPN fingerprint |
| Language/Stack | Go, Google Apps Script, Cloudflare Workers, Android, desktop GUI |
| License | N/A |
| GitHub Stars | N/A as of Feb 2026 |
| Pricing | Open-Source |
| Last Release | N/A |
Who Should Use Zyrln?
- Iran-based developers who need stable access to Google services, GitHub, docs, and cloud consoles without showing a conventional VPN signature.
- Power users and sysadmins who can tolerate a short setup flow and want a browser proxy plus optional SOCKS5 support.
- Indie hackers running a cheap VPS who need non-Google sites through a relay chain and prefer Google Apps Script as the front door.
- Android users who want the same profile exported from desktop and imported on mobile with device-specific CA installation.
Not ideal for:
- Users who want one-click consumer VPN behavior with zero configuration.
- People who cannot or will not use a Google account.
- Teams that need enterprise support, audited compliance, or a managed SLA.
Key Features of Zyrln
- TLS fragmentation for Google traffic — Zyrln splits the TLS ClientHello into tiny fragments so SNDPI cannot reconstruct the SNI fast enough to block Google domains. That means YouTube, Gmail, Drive, and Meet can work directly, without any relay node in the middle.
- Google Apps Script relay front door — For blocked non-Google destinations, Zyrln uses Apps Script as the public-facing ingress. From the censor's perspective the traffic looks like ordinary Google-hosted traffic, which makes crude IP-based blocking much harder.
- Pluggable exit relays — The exit layer can be a VPS on port
8787or a Cloudflare Worker. That separation keeps the Google-facing endpoint lightweight while the exit relay handles real web fetching and can be swapped without changing the client profile. - Desktop GUI plus Android client — Zyrln ships with a desktop app and an Android APK. Profiles can be exported from desktop and imported on mobile, which avoids hand-editing JSON on a phone.
- Local proxy ports for browser and system use — The app exposes HTTP proxy
127.0.0.1:8085and SOCKS5127.0.0.1:1080. That makes it usable at the browser level or across the whole OS when you need more than a single tab. - HTTPS interception with user-installed CA — Zyrln can decrypt and re-encrypt HTTPS locally after you install its CA certificate. This is required for non-opaque proxying of HTTPS sites and is the main trust boundary you have to manage.
- Source build with Go 1.25+ — The project includes
make desktop,make proxy,make android, andmake test. That makes it easy to audit the transport logic, reproduce builds, or strip out the GUI if you only want the proxy core. - Operational quotas and diagnostics are documented — Zyrln notes the Google Apps Script daily quota and points users to a diagnostics workflow when nothing loads or when HTTPS fails. That is useful because failures are usually config problems, not core transport bugs.
Zyrln vs Alternatives
| Tool | Best For | Key Differentiator | Pricing |
|---|---|---|---|
| Zyrln | Iran-specific censorship circumvention | Google-native traffic patterns plus Apps Script relay chaining | Open-Source |
| Psiphon | General censorship bypass with minimal setup | Mature circumvention network and simpler onboarding | Freemium |
| Outline | Self-hosted access for private teams | Standard server-based tunnel with admin control | Open-Source |
| Cloudflare WARP | Low-friction encrypted tunneling | Managed client with less DIY infrastructure | Freemium |
Zyrln wins when you need Google access plus a transport that does not look like a standard VPN. It loses when you want a mainstream, fully managed circumvention client, in which case Psiphon is easier.
Pick Psiphon when you want the least operational work and do not care about transport specificity. Pick Outline when you already run a private server and want a standard tunnel model with familiar server administration.
Pick OpenTrace when you need to inspect where the relay chain stalls, because Zyrln failures are often timing, quota, or certificate issues rather than raw connectivity. Pick djevops when you want scripted VPS provisioning and firewall setup for the exit relay instead of doing the server work by hand.
If you want to compare more adjacent options, browse all Proxy Tools. If your team needs secret handling for the auth key and relay URLs, DataHaven is a better companion than a transport tool.
How Zyrln Works
Zyrln uses a split-path design. The direct path sends Google-bound traffic straight to Google while fragmenting the TLS handshake so the censor cannot reliably extract the SNI field, and the relay path sends everything else to an Apps Script endpoint that forwards requests to an exit relay under your control.
That design matters because Iran's SNDPI logic can block by reading TLS metadata, but it has a much harder time with fragmented handshakes and traffic that originates from a Google-hosted service. Zyrln does not try to be a full mesh VPN, and that is the point; it uses Google as the camouflage layer and keeps your actual exit node simple.
The local client is the control plane. It stores the Apps Script URL, shared auth key, and optional exit relay key, then opens a local proxy listener that your browser or system routes through. HTTPS sites need the CA certificate so the proxy can terminate and reissue certificates locally, which is standard for a MITM proxy and also the part that deserves the most scrutiny.
The result is a transport stack with two very different performance profiles. Google services can stay direct and fast, while everything else pays the extra hop through Apps Script and the exit relay, which is the correct trade-off if your priority is staying usable under censorship rather than minimizing hop count.
# start the core proxy from source
make proxy
# point your browser at the local proxy
# HTTP proxy: 127.0.0.1:8085
# SOCKS5 proxy: 127.0.0.1:1080
The command above starts the relay-capable proxy core, then exposes local ports for browser or OS-level routing. After that, you should expect the GUI to show a connected state only once the Apps Script relay URL, auth key, and CA trust are configured correctly.
Pros and Cons of Zyrln
Pros:
- No dedicated server for Google-only traffic — Direct Mode reaches Google services without a VPS or Worker, which cuts cost and removes one more blockable endpoint.
- Low-signature transport — Fragmented TLS against SNDPI is more specific than a generic VPN tunnel and can survive basic filtering that kills ordinary proxies.
- Flexible deployment model — You can run the exit layer on a VPS or Cloudflare Worker, which lets you trade cost, control, and operational complexity.
- Desktop and Android coverage — The same config can move between platforms, which is useful when you need continuity across laptop and phone.
- Source-available and buildable — Go source plus
maketargets make the transport path inspectable and reproducible. - Clear operational limits — The project documents quotas, certificate steps, and diagnostic checks, which reduces guesswork during setup.
Cons:
- Not zero-config for full access — Instagram, Twitter, Telegram, and other non-Google sites require the full relay chain, not just Direct Mode.
- Google account quotas apply — Apps Script has a per-account call limit, so heavy usage may require multiple deployments or accounts.
- CA installation is mandatory for HTTPS — If you skip certificate setup, HTTPS sites will fail or throw SSL errors.
- Trust surface is larger than a plain VPN — You are trusting Google Apps Script, the exit relay, and a local certificate authority on your device.
- Banking and cert-pinned apps may break — Apps that pin certificates or perform custom TLS validation often reject proxy interception.
Getting Started with Zyrln
git clone https://github.com/ajavadinezhad/zyrln.git
cd zyrln
make desktop
After the build finishes, run the desktop app, create a profile, paste your Apps Script URL and auth key, then click Connect. If you only need Google services, enable Direct Mode and point your browser at 127.0.0.1:8085; if you need broader access, finish the exit relay setup first and install the CA certificate.
If you prefer a mobile-first flow, build the Android APK with make android or install a release build from GitHub, then import the desktop config into the phone app. The first-run checklist is short: proxy endpoint, auth key, relay URL, and CA trust.
Verdict
Zyrln is the strongest option for Iranian users who need Google access and a low-fingerprint relay path when SNDPI is blocking by SNI rather than by IP. Its biggest strength is the Google-native transport trick; its main caveat is the extra setup for non-Google sites. Use it if you can handle a short configuration workflow and want an open-source path instead of a conventional VPN.
